Debian Xen vulnerabilities
478 known vulnerabilities affecting debian/xen.
Total CVEs: 478
CISA KEV: 0
Public exploits: 10
Exploited in wild: 1
Severity breakdown: CRITICAL 18, HIGH 138, MEDIUM 226, LOW 96
Vulnerabilities
Page 18 of 24
CVE-2015-2045 | LOW | CVSS 2.1 | fixed in xen 4.4.1-8 (bookworm) | 2015
The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does not properly initialize data structures, which allows local guest users to obtain sensitive information via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 4.4.1-8)
bullseye: resolved (fixed in 4.4.1-8)
forky: resolved (fixed in 4.4.1-8)
sid: resolved (fixed in 4.4.1-8)
trixie: resolved (fi
debian
CVE-2015-3340 | LOW | CVSS 2.9 | fixed in xen 4.6.0-1 (bookworm) | 2015
Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request.
Scope: local
bookworm: resolved (fixed in 4.6.0-1)
bullseye: resolved (fixed in 4.6.0-1)
forky: resolved (fixed in 4.6.0-1)
sid: resolved (fixed in 4.
debian
CVE-2015-6654 | LOW | CVSS 2.1 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2015
The xenmem_add_to_physmap_one function in arch/arm/mm.c in Xen 4.5.x, 4.4.x, and earlier does not limit the number of printk console messages when reporting a failure to retrieve a reference on a foreign page, which allows remote domains to cause a denial of service by leveraging permissions to map the memory of a foreign guest.
Scope: local
bookworm: resolved (fixed in 4.
debian
CVE-2015-2152 | LOW | CVSS 1.9 | fixed in xen 4.4.1-9 (bookworm) | 2015
Xen 4.5.x and earlier enables certain default backends when emulating a VGA device for an x86 HVM guest qemu even when the configuration disables them, which allows local guest users to obtain access to the VGA console by (1) setting the DISPLAY environment variable, when compiled with SDL support, or connecting to the VNC server on (2) ::1 or (3) 127.0.0.1, when not compi
debian
CVE-2015-7972 | LOW | CVSS 2.1 | fixed in xen 4.6.0-1 (bookworm) | 2015
The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen 3.4.x through 4.6.x do not properly calculate the balloon size when using the populate-on-demand (PoD) system, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors related to "heavy memory pres
debian
CVE-2015-1563 | LOW | CVSS 2.1 | fixed in xen 4.4.1-7 (bookworm) | 2015
The ARM GIC distributor virtualization in Xen 4.4.x and 4.5.x allows local guests to cause a denial of service by causing a large number of messages to be logged.
Scope: local
bookworm: resolved (fixed in 4.4.1-7)
bullseye: resolved (fixed in 4.4.1-7)
forky: resolved (fixed in 4.4.1-7)
sid: resolved (fixed in 4.4.1-7)
trixie: resolved (fixed in 4.4.1-7)
debian
CVE-2015-7813 | LOW | CVSS 2.1 | fixed in xen 4.6.0-1 (bookworm) | 2015
Xen 4.4.x, 4.5.x, and 4.6.x does not limit the number of printk console messages when reporting unimplemented hypercalls, which allows local guests to cause a denial of service via a sequence of (1) HYPERVISOR_physdev_op hypercalls, which are not properly handled in the do_physdev_op function in arch/arm/physdev.c, or (2) HYPERVISOR_hvm_op hypercalls, which are not properl
debian
CVE-2015-7311 | LOW | CVSS 3.6 | fixed in xen 4.8.0~rc3-1 (bookworm) | 2015
libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag on disks when using the qemu-xen device model, which allows local guest users to write to a read-only disk image.
Scope: local
bookworm: resolved (fixed in 4.8.0~rc3-1)
bullseye: resolved (fixed in 4.8.0~rc3-1)
forky: resolved (fixed in 4.8.0~rc3-1)
sid: resolved (fixed in 4.8.0~rc3-1)
trixie: reso
debian
CVE-2014-1666 | HIGH | CVSS 8.3 | fixed in xen 4.4.0-1 (bookworm) | 2014
The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not properly restrict access to the (1) PHYSDEVOP_prepare_msix and (2) PHYSDEVOP_release_msix operations, which allows local PV guests to cause a denial of service (host or guest malfunction) or possibly gain privileges via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 4
debian
CVE-2014-7188 | HIGH | CVSS 8.3 | fixed in xen 4.4.1-3 (bookworm) | 2014
The hvm_msr_read_intercept function in arch/x86/hvm/hvm.c in Xen 4.1 through 4.4.x uses an improper MSR range for x2APIC emulation, which allows local HVM guests to cause a denial of service (host crash) or read data from the hypervisor or other guests via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 4.4.1-3)
bullseye: resolved (fixed in 4.4.1-3)
forky:
debian
CVE-2014-5147 | MEDIUM | CVSS 4.3 | fixed in xen 4.4.1-1 (bookworm) | 2014
Xen 4.4.x, when running a 64-bit kernel on an ARM system, does not properly handle traps from the guest domain that use a different address width, which allows local guest users to cause a denial of service (host crash) via a crafted 32-bit process.
Scope: local
bookworm: resolved (fixed in 4.4.1-1)
bullseye: resolved (fixed in 4.4.1-1)
forky: resolved (fixed in 4.4.1-1
debian
CVE-2014-5148 | MEDIUM | CVSS 4.6 | fixed in xen 4.4.1-1 (bookworm) | 2014
Xen 4.4.x, when running on an ARM system and "handling an unknown system register access from 64-bit userspace," returns to an instruction of the trap handler for kernel space faults instead of an instruction that is associated with faults in 64-bit userspace, which allows local guest users to cause a denial of service (crash) and possibly gain privileges via a crafted
debian
CVE-2014-7155 | MEDIUM | CVSS 5.8 | fixed in xen 4.4.1-3 (bookworm) | 2014
The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 4.4.x and earlier does not properly check supervisor mode permissions, which allows local HVM users to cause a denial of service (guest crash) or gain guest kernel mode privileges via vectors involving an (1) HLT, (2) LGDT, (3) LIDT, or (4) LMSW instruction.
Scope: local
bookworm: resolved (fixed in 4
debian
CVE-2014-3672 | MEDIUM | CVSS 6.5 | fixed in xen 4.4.0-1 (bookworm) | 2014
The qemu implementation in libvirt before 1.3.0 and Xen allows local guest OS users to cause a denial of service (host disk consumption) by writing to stdout or stderr.
Scope: local
bookworm: resolved (fixed in 4.4.0-1)
bullseye: resolved (fixed in 4.4.0-1)
forky: resolved (fixed in 4.4.0-1)
sid: resolved (fixed in 4.4.0-1)
trixie: resolved (fixed in 4.4.0-1)
debian
CVE-2014-1895 | MEDIUM | CVSS 5.8 | fixed in xen 4.4.0-1 (bookworm) | 2014
Off-by-one error in the flask_security_avc_cachestats function in xsm/flask/flask_op.c in Xen 4.2.x and 4.3.x, when the maximum number of physical CPUs are in use, allows local users to cause a denial of service (host crash) or obtain sensitive information from hypervisor memory by leveraging a FLASK_AVC_CACHESTAT hypercall, which triggers a buffer over-read.
Scope: loc
debian
CVE-2014-1950 | MEDIUM | CVSS 4.6 | fixed in xen 4.4.0-1 (bookworm) | 2014
Use-after-free vulnerability in the xc_cpupool_getinfo function in Xen 4.1.x through 4.3.x, when using a multithreaded toolstack, does not properly handle a failure by the xc_cpumap_alloc function, which allows local users with access to management functions to cause a denial of service (heap corruption) and possibly gain privileges via unspecified vectors.
Scope: local
debian
CVE-2014-2599 | MEDIUM | CVSS 4.9 | fixed in xen 4.4.1-1 (bookworm) | 2014
The HVMOP_set_mem_access HVM control operations in Xen 4.1.x for 32-bit and 4.1.x through 4.4.x for 64-bit allow local guest administrators to cause a denial of service (CPU consumption) by leveraging access to certain service domains for HVM guests and a large input.
Scope: local
bookworm: resolved (fixed in 4.4.1-1)
bullseye: resolved (fixed in 4.4.1-1)
forky: resolve
debian
CVE-2014-3967 | MEDIUM | CVSS 5.5 | fixed in xen 4.4.1-1 (bookworm) | 2014
The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x does not properly check the return value from the IRQ setup check, which allows local HVM guest administrators to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 4.4.1-1)
bullseye: resolved (fixed in 4.4.1-1)
forky: resolved (fix
debian
CVE-2014-1642 | MEDIUM | CVSS 4.4 | fixed in xen 4.4.0-1 (bookworm) | 2014
The IRQ setup in Xen 4.2.x and 4.3.x, when using device passthrough and configured to support a large number of CPUs, frees certain memory that may still be intended for use, which allows local guest administrators to cause a denial of service (memory corruption and hypervisor crash) and possibly execute arbitrary code via vectors related to an out-of-memory error that
debian
CVE-2014-3124 | MEDIUM | CVSS 6.7 | fixed in xen 4.4.1-1 (bookworm) | 2014
The HVMOP_set_mem_type control in Xen 4.1 through 4.4.x allows local guest HVM administrators to cause a denial of service (hypervisor crash) or possibly execute arbitrary code by leveraging a separate qemu-dm vulnerability to trigger invalid page table translations for unspecified memory page types.
Scope: local
bookworm: resolved (fixed in 4.4.1-1)
bullseye: resolved
debian